From 083e01908189b228ae2b21a877de120d669059c6 Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 02:05:30 -0400 Subject: [PATCH 01/10] Don't start empty jails, don't apply template if Bastillefile is empty --- usr/local/share/bastille/create.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 1be81266..256b37f4 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -353,7 +353,9 @@ create_jail() { chmod 0700 "${bastille_jailsdir}/${NAME}" # Jail must be started before applying the default template. -- cwells - bastille start "${NAME}" + if [ -z "${EMPTY_JAIL}" ]; then + bastille start "${NAME}" + fi if [ -n "${VNET_JAIL}" ]; then if [ -n ${bastille_template_vnet} ]; then @@ -378,7 +380,9 @@ create_jail() { fi elif [ -n "${EMPTY_JAIL}" ]; then if [ -n ${bastille_template_empty} ]; then - bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" + if [ -s ${bastille_templatesdir}/${bastille_template_empty}/Bastillefile ]; then + bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" + fi fi else # Thin jail. if [ -n ${bastille_template_thin} ]; then @@ -387,7 +391,9 @@ create_jail() { fi # Apply values changed by the template. -- cwells - bastille restart "${NAME}" + if [ -z "${EMPTY_JAIL}" ]; then + bastille restart "${NAME}" + fi } # Handle special-case commands first. From b52828981571ad6f86d857fa1a6ea52330abccde Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 20:26:31 -0400 Subject: [PATCH 02/10] Don't start empty jails unless templates defined, code improvements --- usr/local/share/bastille/create.sh | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index 256b37f4..d4bb2288 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -355,6 +355,11 @@ create_jail() { # Jail must be started before applying the default template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then bastille start "${NAME}" + elif [ -n "${EMPTY_JAIL}" ]; then + # Don't start empty jails unless a template defined. + if [ -n "${bastille_template_empty}" ]; then + bastille start "${NAME}" + fi fi if [ -n "${VNET_JAIL}" ]; then @@ -375,17 +380,15 @@ create_jail() { bastille template "${NAME}" ${bastille_template_vnet} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" --arg EPAIR="${uniq_epair}" --arg GATEWAY="${_gateway}" --arg IFCONFIG="${_ifconfig}" fi elif [ -n "${THICK_JAIL}" ]; then - if [ -n ${bastille_template_thick} ]; then + if [ -n "${bastille_template_thick}" ]; then bastille template "${NAME}" ${bastille_template_thick} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi elif [ -n "${EMPTY_JAIL}" ]; then - if [ -n ${bastille_template_empty} ]; then - if [ -s ${bastille_templatesdir}/${bastille_template_empty}/Bastillefile ]; then - bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" - fi + if [ -n "${bastille_template_empty}" ]; then + bastille template "${NAME}" ${bastille_template_empty} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi else # Thin jail. - if [ -n ${bastille_template_thin} ]; then + if [ -n "${bastille_template_thin}" ]; then bastille template "${NAME}" ${bastille_template_thin} --arg BASE_TEMPLATE="${bastille_template_base}" --arg HOST_RESOLV_CONF="${bastille_resolv_conf}" fi fi @@ -393,6 +396,11 @@ create_jail() { # Apply values changed by the template. -- cwells if [ -z "${EMPTY_JAIL}" ]; then bastille restart "${NAME}" + elif [ -n "${EMPTY_JAIL}" ]; then + # Don't restart empty jails unless a template defined. + if [ -n "${bastille_template_empty}" ]; then + bastille restart "${NAME}" + fi fi } @@ -526,6 +534,11 @@ if [ -z "${EMPTY_JAIL}" ]; then if [ -n "${INTERFACE}" ]; then validate_netif validate_netconf + elif [ -z "${INTERFACE}" ]; then + if [ -n "${VNET_JAIL}" ]; then + # User must specify interface on vnet jails. + error_exit "Error: Network interface not defined." + fi else validate_netconf fi From d2fcc011be382508a168af7b3162999d934b440f Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 20:30:03 -0400 Subject: [PATCH 03/10] Feature option for safe ZFS jail exports, config update --- usr/local/etc/bastille/bastille.conf.sample | 2 +- usr/local/share/bastille/export.sh | 24 +++++++++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/usr/local/etc/bastille/bastille.conf.sample b/usr/local/etc/bastille/bastille.conf.sample index a47da946..344268e1 100644 --- a/usr/local/etc/bastille/bastille.conf.sample +++ b/usr/local/etc/bastille/bastille.conf.sample @@ -51,7 +51,7 @@ bastille_network_gateway="" ## default ## Default Templates bastille_template_base="default/base" ## default: "default/base" -bastille_template_empty="default/empty" ## default: "default/empty" +bastille_template_empty="" ## default: "default/empty" bastille_template_thick="default/thick" ## default: "default/thick" bastille_template_thin="default/thin" ## default: "default/thin" bastille_template_vnet="default/vnet" ## default: "default/vnet" diff --git a/usr/local/share/bastille/export.sh b/usr/local/share/bastille/export.sh index 398c1632..9fad7b78 100644 --- a/usr/local/share/bastille/export.sh +++ b/usr/local/share/bastille/export.sh @@ -53,6 +53,7 @@ fi OPTION="${1}" EXPATH="${2}" +SAFE_EXPORT= # Handle some options if [ -n "${OPTION}" ]; then @@ -61,6 +62,8 @@ if [ -n "${OPTION}" ]; then # Temporarily disable ZFS so we can create a standard backup archive bastille_zfs_enable="NO" fi + elif [ "${OPTION}" = "-s" -o "${OPTION}" = "--safe" ]; then + SAFE_EXPORT="1" elif echo "${OPTION}" | grep -q "\/"; then if [ -d "${OPTION}" ]; then EXPATH="${OPTION}" @@ -83,6 +86,12 @@ if [ -n "${EXPATH}" ]; then fi fi +create_zfs_snap(){ + # Take a recursive temporary snapshot + info "Creating temporary ZFS snapshot for export..." + zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" +} + jail_export() { # Attempt to export the container @@ -90,11 +99,18 @@ jail_export() if [ "${bastille_zfs_enable}" = "YES" ]; then if [ -n "${bastille_zfs_zpool}" ]; then FILE_EXT="xz" - info "Exporting '${TARGET}' to a compressed .${FILE_EXT} archive." - info "Sending ZFS data stream..." - # Take a recursive temporary snapshot - zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" + if [ -n "${SAFE_EXPORT}" ]; then + info "Safely exporting '${TARGET}' to a compressed .${FILE_EXT} archive." + bastille stop ${TARGET} + create_zfs_snap + bastille start ${TARGET} + else + info "Hot exporting '${TARGET}' to a compressed .${FILE_EXT} archive." + create_zfs_snap + fi + + info "Sending ZFS data stream..." # Export the container recursively and cleanup temporary snapshots zfs send -R "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${TARGET}@bastille_export_${DATE}" | \ xz ${bastille_compress_xz_options} > "${bastille_backupsdir}/${TARGET}_${DATE}.${FILE_EXT}" From 665cc19ce686b6702493f692c65da113bbb85c8c Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 8 Jan 2021 22:37:18 -0400 Subject: [PATCH 04/10] Properly link shared ports on thin jails --- usr/local/share/bastille/create.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index d4bb2288..e454bda7 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -261,6 +261,13 @@ create_jail() { for _link in ${LINK_LIST}; do ln -sf /.bastille/${_link} ${_link} done + # Properly link shared ports on thin jails in read-write. + if [ -d "${bastille_releasesdir}/${RELEASE}/usr/ports" ]; then + if [ ! -d "${bastille_jail_path}/usr/ports" ]; then + mkdir ${bastille_jail_path}/usr/ports + fi + echo -e "${bastille_releasesdir}/${RELEASE}/usr/ports ${bastille_jail_path}/usr/ports nullfs rw 0 0" >> "${bastille_jail_fstab}" + fi fi if [ -z "${THICK_JAIL}" ]; then @@ -363,7 +370,7 @@ create_jail() { fi if [ -n "${VNET_JAIL}" ]; then - if [ -n ${bastille_template_vnet} ]; then + if [ -n "${bastille_template_vnet}" ]; then ## rename interface to generic vnet0 uniq_epair=$(grep vnet.interface "${bastille_jailsdir}/${NAME}/jail.conf" | awk '{print $3}' | sed 's/;//') From 996e7e2b40db2139ed696c17de63e947093d2d28 Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 9 Jan 2021 16:18:11 -0400 Subject: [PATCH 05/10] Option to enable/disable jail auto-start using sysrc --- usr/local/bin/bastille | 4 +- usr/local/share/bastille/disable.sh | 91 ++++++++++++++++++++++++++++ usr/local/share/bastille/enable.sh | 94 +++++++++++++++++++++++++++++ 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 usr/local/share/bastille/disable.sh create mode 100644 usr/local/share/bastille/enable.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 46ec8f2d..2a200528 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -90,7 +90,9 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. + disable Prevent a container auto-start during host reboots. edit Edit container configuration files (advanced). + enable Allow a container auto-start during host reboots. export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). @@ -135,7 +137,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|disable|enable|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh new file mode 100644 index 00000000..9ee098a3 --- /dev/null +++ b/usr/local/share/bastille/disable.sh @@ -0,0 +1,91 @@ +#!/bin/sh +# +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_exit "Usage: bastille disable TARGET" +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" + +# Gather bastille list info(sysrc targets /etc/rc.conf by default). +# Default bastille rc vars are bastille_enable and bastille_list. +BASTILLE_DISABLE_STAT=$(sysrc -qn bastille_enable) +BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") + +bastille_disable_check(){ + # Check bastille disable status. + if [ "${BASTILLE_DISABLE_STAT}" != "NO" ]; then + sysrc bastille_enable="NO" + fi +} + +if [ "${TARGET}" = 'ALL' ]; then + if [ -n "${BASILLE_LIST_CURRENT}" ]; then + # Clear current startup list. + info "Disabling all jails..." + sysrc bastille_list= + info "All jails disabled." + elif [ -z "${BASILLE_LIST_CURRENT}" ]; then + error_exit "All jails already disabled." + fi + bastille_disable_check +fi + +if [ "${TARGET}" != 'ALL' ]; then + # Check if jail exist. + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + # Check if jail is already disabled. + if [ -z "${BASTILLE_LIST_TARGET}" ]; then + error_exit "${TARGET} already disabled" + fi + + # Disable the jail. + info "Disabling ${TARGET}..." + sysrc bastille_list-="${TARGET}" + info "${TARGET} disabled." +fi diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh new file mode 100644 index 00000000..2b65323c --- /dev/null +++ b/usr/local/share/bastille/enable.sh @@ -0,0 +1,94 @@ +#!/bin/sh +# +# Copyright (c) 2018-2021, Christer Edwards +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# * Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +. /usr/local/share/bastille/common.sh +. /usr/local/etc/bastille/bastille.conf + +usage() { + error_exit "Usage: bastille enable TARGET" +} + +# Handle special-case commands first. +case "$1" in +help|-h|--help) + usage + ;; +esac + +if [ $# -gt 1 ] || [ $# -lt 1 ]; then + usage +fi + +TARGET="${1}" + +# Gather bastille list info(sysrc targets /etc/rc.conf by default). +# Default bastille rc vars are bastille_enable and bastille_list. +BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) +BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") + +bastille_enable_check(){ + # Check bastille enable status. + if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then + sysrc bastille_enable="YES" + fi +} + +if [ "${TARGET}" = 'ALL' ]; then + if [ -n "${BASILLE_LIST_CURRENT}" ]; then + # Clear current list to re-apply default jail startup list. + info "Clearing current startup list..." + sysrc bastille_list= + fi + + info "Enabling all jails..." + bastille_enable_check + BASTILLE_LIST_ALL=$(echo $(bastille list jails)) + sysrc bastille_list="${BASTILLE_LIST_ALL}" + info "All jails enabled." +fi + +if [ "${TARGET}" != 'ALL' ]; then + # Check if jail exist. + if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then + error_exit "[${TARGET}]: Not found." + fi + + # Check if jail is already enabled. + if [ -n "${BASTILLE_LIST_TARGET}" ]; then + error_exit "${TARGET} already enabled" + fi + + # Enable the jail. + info "Enabling ${TARGET}..." + bastille_enable_check + sysrc bastille_list+="${TARGET}" + info "${TARGET} enabled." +fi From ed8ff8bd802c3373b81a30a15a1057009ab71f11 Mon Sep 17 00:00:00 2001 From: Jose Date: Sat, 9 Jan 2021 21:24:05 -0400 Subject: [PATCH 06/10] Fix to properly upgrade base releases --- usr/local/share/bastille/upgrade.sh | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/upgrade.sh b/usr/local/share/bastille/upgrade.sh index dbd0ee9b..52c9c295 100644 --- a/usr/local/share/bastille/upgrade.sh +++ b/usr/local/share/bastille/upgrade.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -91,7 +91,9 @@ release_upgrade() { # Upgrade a release if [ -d "${bastille_releasesdir}/${TARGET}" ]; then release_check - freebsd-update ${OPTION} -b "${bastille_releasesdir}/${TARGET}" -r "${NEWRELEASE}" upgrade + env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" --currently-running "${TARGET}" -r "${NEWRELEASE}" upgrade + echo + echo -e "${COLOR_YELLOW}Please run 'bastille upgrade ${TARGET} install' to finish installing updates.${COLOR_RESET}" else error_exit "${TARGET} not found. See 'bastille bootstrap'." fi @@ -121,9 +123,22 @@ jail_updates_install() { fi } +release_updates_install() { + # Finish installing upgrade on a release + if [ -d "${bastille_releasesdir}/${TARGET}" ]; then + env PAGER="/bin/cat" freebsd-update ${OPTION} --not-running-from-cron -b "${bastille_releasesdir}/${TARGET}" install + else + error_exit "${TARGET} not found. See 'bastille bootstrap'." + fi +} + # Check what we should upgrade if echo "${TARGET}" | grep -q "[0-9]\{2\}.[0-9]-RELEASE"; then - release_upgrade + if [ "${NEWRELEASE}" = "install" ]; then + release_updates_install + else + release_upgrade + fi elif [ "${NEWRELEASE}" = "install" ]; then jail_updates_install else From 6aa84cb3f51b2a275677c7492dcce3848b4167b2 Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 10 Jan 2021 02:26:40 -0400 Subject: [PATCH 07/10] Small cosmetic/typo corrections --- usr/local/share/bastille/disable.sh | 10 +++++----- usr/local/share/bastille/enable.sh | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh index 9ee098a3..504321bb 100644 --- a/usr/local/share/bastille/disable.sh +++ b/usr/local/share/bastille/disable.sh @@ -50,24 +50,24 @@ TARGET="${1}" # Gather bastille list info(sysrc targets /etc/rc.conf by default). # Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_DISABLE_STAT=$(sysrc -qn bastille_enable) -BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") bastille_disable_check(){ # Check bastille disable status. - if [ "${BASTILLE_DISABLE_STAT}" != "NO" ]; then + BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) + if [ "${BASTILLE_ENABLE_STAT}" != "NO" ]; then sysrc bastille_enable="NO" fi } if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASILLE_LIST_CURRENT}" ]; then + if [ -n "${BASTILLE_LIST_CURRENT}" ]; then # Clear current startup list. info "Disabling all jails..." sysrc bastille_list= info "All jails disabled." - elif [ -z "${BASILLE_LIST_CURRENT}" ]; then + elif [ -z "${BASTILLE_LIST_CURRENT}" ]; then error_exit "All jails already disabled." fi bastille_disable_check diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh index 2b65323c..6673453c 100644 --- a/usr/local/share/bastille/enable.sh +++ b/usr/local/share/bastille/enable.sh @@ -50,19 +50,19 @@ TARGET="${1}" # Gather bastille list info(sysrc targets /etc/rc.conf by default). # Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) -BASILLE_LIST_CURRENT=$(sysrc -qn bastille_list) +BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") bastille_enable_check(){ # Check bastille enable status. + BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then sysrc bastille_enable="YES" fi } if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASILLE_LIST_CURRENT}" ]; then + if [ -n "${BASTILLE_LIST_CURRENT}" ]; then # Clear current list to re-apply default jail startup list. info "Clearing current startup list..." sysrc bastille_list= From 87944a0fd0fe1f0168eac743233e43404077c82b Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 10 Jan 2021 18:55:02 -0400 Subject: [PATCH 08/10] Don't allow underscore in jail name beginning, remove jail from bastille_list on destroy --- usr/local/share/bastille/create.sh | 6 ++++-- usr/local/share/bastille/destroy.sh | 8 +++++++- usr/local/share/bastille/rename.sh | 6 ++++-- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index e454bda7..ecff0094 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -46,7 +46,9 @@ running_jail() { validate_name() { local NAME_VERIFY=${NAME} local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') - if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then + if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then + error_exit "Container names may not begin with (-|_) characters!" + elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then error_exit "Container names may not contain special characters!" fi } diff --git a/usr/local/share/bastille/destroy.sh b/usr/local/share/bastille/destroy.sh index a4bb3c57..a3ff4a68 100644 --- a/usr/local/share/bastille/destroy.sh +++ b/usr/local/share/bastille/destroy.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -76,6 +76,12 @@ destroy_jail() { rm -rf "${bastille_jail_base}" fi + # Remove target from bastille_list if exist + # Mute sysrc output here as it may be undesirable on large startup list + if [ -n "$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/")" ]; then + sysrc bastille_list-="${TARGET}" > /dev/null + fi + ## archive jail log if [ -f "${bastille_jail_log}" ]; then mv "${bastille_jail_log}" "${bastille_jail_log}"-"$(date +%F)" diff --git a/usr/local/share/bastille/rename.sh b/usr/local/share/bastille/rename.sh index 1fb73d2a..498c4870 100644 --- a/usr/local/share/bastille/rename.sh +++ b/usr/local/share/bastille/rename.sh @@ -1,6 +1,6 @@ #!/bin/sh # -# Copyright (c) 2018-2020, Christer Edwards +# Copyright (c) 2018-2021, Christer Edwards # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -38,7 +38,9 @@ usage() { validate_name() { local NAME_VERIFY=${NEWNAME} local NAME_SANITY=$(echo "${NAME_VERIFY}" | tr -c -d 'a-zA-Z0-9-_') - if [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then + if [ -n "$(echo "${NAME_SANITY}" | awk "/^[-_].*$/" )" ]; then + error_exit "Container names may not begin with (-|_) characters!" + elif [ "${NAME_VERIFY}" != "${NAME_SANITY}" ]; then error_exit "Container names may not contain special characters!" fi } From 2474382756cce8288be8483dbdc690a2e126209e Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 12 Jan 2021 23:15:39 -0400 Subject: [PATCH 09/10] Improve interface validation on vnet jail creation --- usr/local/share/bastille/create.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr/local/share/bastille/create.sh b/usr/local/share/bastille/create.sh index ecff0094..a92b41e6 100644 --- a/usr/local/share/bastille/create.sh +++ b/usr/local/share/bastille/create.sh @@ -176,7 +176,7 @@ ${NAME} { vnet; vnet.interface = e0b_${uniq_epair}; - exec.prestart += "jib addm ${uniq_epair} ${INTERFACE}"; + exec.prestart += "jib addm ${uniq_epair} ${bastille_jail_conf_interface}"; exec.poststop += "jib destroy ${uniq_epair}"; } EOF @@ -543,10 +543,14 @@ if [ -z "${EMPTY_JAIL}" ]; then if [ -n "${INTERFACE}" ]; then validate_netif validate_netconf - elif [ -z "${INTERFACE}" ]; then - if [ -n "${VNET_JAIL}" ]; then - # User must specify interface on vnet jails. - error_exit "Error: Network interface not defined." + elif [ -n "${VNET_JAIL}" ]; then + if [ -z "${INTERFACE}" ]; then + if [ -z "${bastille_network_shared}" ]; then + # User must specify interface on vnet jails. + error_exit "Error: Network interface not defined." + else + validate_netconf + fi fi else validate_netconf From 15c1505187d9cca080c8da3671d76f720affec16 Mon Sep 17 00:00:00 2001 From: Jose Date: Fri, 15 Jan 2021 22:28:08 -0400 Subject: [PATCH 10/10] Revert jail enable|disable feature by now, requested for later review --- usr/local/bin/bastille | 4 +- usr/local/share/bastille/disable.sh | 91 ---------------------------- usr/local/share/bastille/enable.sh | 94 ----------------------------- 3 files changed, 1 insertion(+), 188 deletions(-) delete mode 100644 usr/local/share/bastille/disable.sh delete mode 100644 usr/local/share/bastille/enable.sh diff --git a/usr/local/bin/bastille b/usr/local/bin/bastille index 2a200528..46ec8f2d 100755 --- a/usr/local/bin/bastille +++ b/usr/local/bin/bastille @@ -90,9 +90,7 @@ Available Commands: cp cp(1) files from host to targeted container(s). create Create a new thin container or a thick container if -T|--thick option specified. destroy Destroy a stopped container or a FreeBSD release. - disable Prevent a container auto-start during host reboots. edit Edit container configuration files (advanced). - enable Allow a container auto-start during host reboots. export Exports a specified container. help Help about any command. htop Interactive process viewer (requires htop). @@ -137,7 +135,7 @@ version|-v|--version) help|-h|--help) usage ;; -bootstrap|create|destroy|disable|enable|import|list|rdr|restart|start|update|upgrade|verify) +bootstrap|create|destroy|import|list|rdr|restart|start|update|upgrade|verify) # Nothing "extra" to do for these commands. -- cwells ;; clone|config|cmd|console|convert|cp|edit|export|htop|limits|mount|pkg|rename|service|stop|sysrc|template|top|umount|zfs) diff --git a/usr/local/share/bastille/disable.sh b/usr/local/share/bastille/disable.sh deleted file mode 100644 index 504321bb..00000000 --- a/usr/local/share/bastille/disable.sh +++ /dev/null @@ -1,91 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2018-2021, Christer Edwards -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this -# list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# * Neither the name of the copyright holder nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -. /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf - -usage() { - error_exit "Usage: bastille disable TARGET" -} - -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac - -if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage -fi - -TARGET="${1}" - -# Gather bastille list info(sysrc targets /etc/rc.conf by default). -# Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) -BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") - -bastille_disable_check(){ - # Check bastille disable status. - BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) - if [ "${BASTILLE_ENABLE_STAT}" != "NO" ]; then - sysrc bastille_enable="NO" - fi -} - -if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASTILLE_LIST_CURRENT}" ]; then - # Clear current startup list. - info "Disabling all jails..." - sysrc bastille_list= - info "All jails disabled." - elif [ -z "${BASTILLE_LIST_CURRENT}" ]; then - error_exit "All jails already disabled." - fi - bastille_disable_check -fi - -if [ "${TARGET}" != 'ALL' ]; then - # Check if jail exist. - if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then - error_exit "[${TARGET}]: Not found." - fi - - # Check if jail is already disabled. - if [ -z "${BASTILLE_LIST_TARGET}" ]; then - error_exit "${TARGET} already disabled" - fi - - # Disable the jail. - info "Disabling ${TARGET}..." - sysrc bastille_list-="${TARGET}" - info "${TARGET} disabled." -fi diff --git a/usr/local/share/bastille/enable.sh b/usr/local/share/bastille/enable.sh deleted file mode 100644 index 6673453c..00000000 --- a/usr/local/share/bastille/enable.sh +++ /dev/null @@ -1,94 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2018-2021, Christer Edwards -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this -# list of conditions and the following disclaimer. -# -# * Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# -# * Neither the name of the copyright holder nor the names of its -# contributors may be used to endorse or promote products derived from -# this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -. /usr/local/share/bastille/common.sh -. /usr/local/etc/bastille/bastille.conf - -usage() { - error_exit "Usage: bastille enable TARGET" -} - -# Handle special-case commands first. -case "$1" in -help|-h|--help) - usage - ;; -esac - -if [ $# -gt 1 ] || [ $# -lt 1 ]; then - usage -fi - -TARGET="${1}" - -# Gather bastille list info(sysrc targets /etc/rc.conf by default). -# Default bastille rc vars are bastille_enable and bastille_list. -BASTILLE_LIST_CURRENT=$(sysrc -qn bastille_list) -BASTILLE_LIST_TARGET=$(sysrc -qn bastille_list | tr -s " " "\n" | awk "/^${TARGET}$/") - -bastille_enable_check(){ - # Check bastille enable status. - BASTILLE_ENABLE_STAT=$(sysrc -qn bastille_enable) - if [ "${BASTILLE_ENABLE_STAT}" != "YES" ]; then - sysrc bastille_enable="YES" - fi -} - -if [ "${TARGET}" = 'ALL' ]; then - if [ -n "${BASTILLE_LIST_CURRENT}" ]; then - # Clear current list to re-apply default jail startup list. - info "Clearing current startup list..." - sysrc bastille_list= - fi - - info "Enabling all jails..." - bastille_enable_check - BASTILLE_LIST_ALL=$(echo $(bastille list jails)) - sysrc bastille_list="${BASTILLE_LIST_ALL}" - info "All jails enabled." -fi - -if [ "${TARGET}" != 'ALL' ]; then - # Check if jail exist. - if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then - error_exit "[${TARGET}]: Not found." - fi - - # Check if jail is already enabled. - if [ -n "${BASTILLE_LIST_TARGET}" ]; then - error_exit "${TARGET} already enabled" - fi - - # Enable the jail. - info "Enabling ${TARGET}..." - bastille_enable_check - sysrc bastille_list+="${TARGET}" - info "${TARGET} enabled." -fi